NetBSD Problem Report #43183

From khorben@defora.org  Tue Apr 20 13:08:26 2010
Return-Path: <khorben@defora.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 9A8A563B8BC
	for <gnats-bugs@gnats.NetBSD.org>; Tue, 20 Apr 2010 13:08:26 +0000 (UTC)
Message-Id: <20100420130815.5675ED1@kwarx.defora.lan>
Date: Tue, 20 Apr 2010 15:08:15 +0200 (CEST)
From: Pierre Pronchery <khorben@defora.org>
To: gnats-bugs@gnats.NetBSD.org
Subject: net/trickle crashes on NetBSD
X-Send-Pr-Version: 3.95

>Number:         43183
>Category:       pkg
>Synopsis:       net/trickle loops infinitely while hijacking calls to libc's socket() on NetBSD
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Apr 20 13:10:00 +0000 2010
>Last-Modified:  Tue Apr 20 14:45:00 +0000 2010
>Originator:     Pierre Pronchery
>Release:        NetBSD 5.0_STABLE pkgsrc-2009Q4
>Organization:
>Environment:
System: NetBSD kwarx.defora.lan 5.0_STABLE NetBSD 5.0_STABLE (GENERIC) #0: Tue Feb 16 12:20:09 CET 2010 khorben@kwarx.defora.lan:/usr/obj/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:

Trying to shape my SSH-based transfers using trickle on NetBSD 5.0 (pkgsrc-2009Q4), I ran into the following problem:

$ trickle -d 30 -u 30 scp -r [...]
trickle: Could not reach trickled, working independently: No such file or directory
Segmentation fault
$ gdb scp scp.core
Core was generated by `scp'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f7ffdc02085 in __socket30 ()
   from /usr/pkg/lib/trickle/trickle-overload.so
(gdb) frame 10000
#10000 0x00007f7ffdc0208b in __socket30 ()
   from /usr/pkg/lib/trickle/trickle-overload.so
...you get the idea.

As it seems, NetBSD's libc socket() function is a wrapper, actually reaching the syscall by calling __socket30(). This tricks trickle into an infinite, recursive loop, eventually crashing upon the first call to socket().

>How-To-Repeat:
Try to use trickle on NetBSD, it crashes.
>Fix:
Change net/trickle/patches/patch-aa to the following:

$NetBSD: patch-aa,v 1.2 2006/03/23 15:55:53 joerg Exp $

--- trickle-overload.c.orig	2003-06-02 23:13:28.000000000 +0000
+++ trickle-overload.c
@@ -191,7 +191,12 @@ trickle_init(void)

 	GETADDR(write);

+#ifdef __NetBSD__
+	if ((libc_socket = dlsym(dh, "__socket30")) == NULL)
+		errx(0, "[trickle] Failed to get socket() address");
+#else
 	GETADDR(socket);
+#endif
 /*	GETADDR(setsockopt); */
 	GETADDR(close);

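Review bot: In the __NetBSD__ branch, errx(0, ...) ends the process with exit status 0 when dlsym() returns NULL, so a failed symbol lookup is reported to the caller as success; pass a non-zero status. The lookup also hard-codes the versioned name "__socket30" with no fallback, so on a libc that does not export that symbol the wrapped program exits during trickle_init(); consider falling back to GETADDR(socket) when the lookup returns NULL. The error message should name the symbol that was actually looked up rather than socket().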
@@ -476,7 +481,7 @@ select(int nfds, fd_set *rfds, fd_set *w
 #if defined(__linux__) || (defined(__svr4__) && defined(__sun__))
 int
 poll(struct pollfd *fds, nfds_t nfds, int __timeout)
-#elif defined(__FreeBSD__)
+#elif defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__DragonFly__)
 int
 poll(struct pollfd *fds, unsigned int nfds, int __timeout)
 #else
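Review bot: The changed #elif line selects the "unsigned int nfds" prototype for __NetBSD__, __OpenBSD__ and __DragonFly__ as well as __FreeBSD__, but the report only describes a run on NetBSD 5.0 amd64 and gives no reason for this change, which is separate from the socket() recursion. A poll() definition that disagrees with the declaration in the system's <poll.h> fails to compile with conflicting types, so either confirm the prototype on each added platform or limit the addition to __NetBSD__. Using nfds_t, as the first branch does, would avoid the per-platform list wherever that type is declared.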

>Audit-Trail:
From: Tobias Nygren <tnn@NetBSD.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/43183: net/trickle crashes on NetBSD
Date: Tue, 20 Apr 2010 16:44:17 +0200

 On Tue, 20 Apr 2010 13:10:01 +0000 (UTC)
 Pierre Pronchery <khorben@defora.org> wrote:

 > As it seems, NetBSD's libc socket() function is a wrapper, actually reaching the syscall by calling __socket30(). This tricks trickle into an infinite, recursive loop, eventually crashing upon the first call to socket().

 This is probably the same bug that makes net/tsocks crash when used
 with ssh(1).
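
The symbol lookup discussed in this report, as an added example that is not trickle's code and not part of the PR. It tries the versioned name from the report first and falls back to plain "socket", and it turns the self-recursion described above into an error return instead of a stack overflow. The names resolve_socket, shaped_socket, real_socket and in_wrapper are hypothetical, and dlopen(NULL) stands in for the libc handle so the demo is self-contained.

```c
#include <dlfcn.h>
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

typedef int (*socket_fn)(int, int, int);
static socket_fn real_socket;         /* resolved entry point */
static const char *real_socket_name;  /* which candidate name matched */
static __thread int in_wrapper;       /* per-thread re-entrancy flag */

/* Try candidate names in order: "__socket30" (the name in the PR), then
 * plain "socket" for systems whose libc does not export the versioned one. */
socket_fn resolve_socket(void *handle)
{
	static const char *const names[] = { "__socket30", "socket" };
	for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
		void *sym = dlsym(handle, names[i]);
		if (sym != NULL) {
			real_socket_name = names[i];
			return (socket_fn)sym;
		}
	}
	return NULL;
}

/* Hypothetical wrapper; a real interposer would export it as socket() and
 * pass its own libc handle (dh in the patch) instead of dlopen(NULL). */
int shaped_socket(int domain, int type, int protocol)
{
	if (real_socket == NULL)
		real_socket = resolve_socket(dlopen(NULL, RTLD_LAZY));
	if (real_socket == NULL || in_wrapper) {
		/* unresolved, or the "real" pointer led back into this wrapper */
		errno = real_socket == NULL ? ENOSYS : ELOOP;
		return -1;
	}
	in_wrapper = 1;
	int fd = real_socket(domain, type, protocol);
	in_wrapper = 0;
	return fd;
}

int main(void)
{
	int fd = shaped_socket(AF_UNIX, SOCK_STREAM, 0);
	printf("real symbol: %s, fd=%d\n", real_socket_name ? real_socket_name : "none", fd);
	return fd < 0 ? 1 : close(fd);
}
```

On glibc older than 2.34 this needs -ldl at link time.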
